ResultIt looks like request validation has been turned off. Making a request to the site with the malicious URL above is returning the same response body as a legitimate request so the app appears to be accepting the XSS payload in the query string. Request validation is easy to enable, just configure the web.config to ensure "validateRequest" is set to "true" (this is also the default if no setting exists):

<pages validateRequest="true" />

Also make sure the individual Page declarations have ValidateRequest set to "true" (this is also the default if no setting exists):